Skip to content

Instantly share code, notes, and snippets.

@hamsolodev
Created June 26, 2013 01:09
Show Gist options
  • Save hamsolodev/5863920 to your computer and use it in GitHub Desktop.
Save hamsolodev/5863920 to your computer and use it in GitHub Desktop.

My ThinkPad X200 Arch Linux install process

TODO passphrase protected keyfiles…setup a keyfile in a remaining key-slot? something to make this properly two–factor.

Notes on installing Arch Linux from scratch, using LVM volumes inside a LUKS container.

Why not boot from removable media? Well, there's no real support for “plausible deniability” built in to LUKS/dm-crypt. This means that the benefit of booting from removable media—being able to keep secret the fact that the main HDD contains an encrypted filesystem—is pretty moot. A LUKS container must contain header data; giving away the fact that LUKS is in use.

Introduction

There's no Arch Linux installer as such; instead, there's a series of tasks carried out on the commandline to partition the disk and bootstrap base packages &c.

The following web pages were of use

Regarding disk encryption

Begin by booting the installation media, which drops into a root shell.

Secure erasure

So /dev/random most likely won't have enough entropy to be used as the random data source for erasure of an entire disk :( Use of /dev/urandom is more than likely OK for this purpose…however it should not at any time be relied upon for generation of cryptographic keys.

So use something like the following command to erase the target disk

dd if=/dev/urandom of=/dev/sda

…and wait a long time for it to complete!

There was mention of using dcfldd and the frandom module to more quickly generate random data for disk erasure…more research required. I'd like a faster (secure) disk erasure during install.

Preparing partitions

I decided to use the GUID Partition Table partitioning scheme, since it's all modern and futuristic and stuff. Not this means that we'll need to use Grub 2. There are some special requirements here, specifically for a BIOS boot partition (see this section of the GRUB wiki page).

So, use gdisk to create three partitions on the main disk.

  1. /boot, 200MB, type 8300.
  2. The “rest of” the disk to be used for a LUKS container. Don't give this any special type (stick with default 8300) it doesn't matter.
  3. BIOS boot partition, 1007KB, type EF02 (later, when grub is installed, this will automatically get used)
  • create this right at the beginning of the disk, and create it last (see below)

Note from wiki

gdisk will only allow you to create this (the BIOS boot partition) on the position which will waste the least amount of space (sector 34-2047) if you create it last, after all the other partitions. This is because gdisk will auto-align partitions to 2048-sector boundaries if possible

Format /boot

This will be mounted later on…

mkfs -t ext4 /dev/sda1

Create the LUKS container

Side note: cryptsetup benchmark tests the speed of various cryptographic operations on the system, so can be quite useful when determining which algorithms to use.

On my ThinkPad cryptsetup benchmark showed that the fastest cipher mode was serpent-xts, and after a little research I decided it was a sensible choice for security as well as performance.

We will create a LUKS container with the following features

* use Serpent (in XTS mode) for encryption
* use key size of 256 bits (by specifying 512, because the key gets split)
* use SHA512 for passphrase hashing
* allow more time for more iterations during passphrase hashing
* use /dev/random for key generation

No create the LUKS container, which will ultimately store an LVM Volume Group

cryptsetup -c serpent-xts-plain64 -h sha512 -i 5000 -y -s 512 --use-random luksFormat /dev/sda2

You'll be prompted twice for a passphrase…

TODO Is there an equivalent to geli's “data authentication” behaviour?

Open the LUKS container

This will map the opened container to /dev/mapper/lvm

cryptsetup luksOpen /dev/sda2 lvm

LVM

Make the LUKS container just created, and opened, above into a LVM Physical Volume

pvcreate /dev/mapper/lvm

Create a Volume Group backed by the newly create Physical Volume

vgcreate vg0 /dev/mapper/lvm

Create some Logical Volumes within our Volume Group for root, var, usr, and home

lvcreate -L 250M vg0 -n root
lvcreate -L 500M vg0 -n var
lvcreate -L 1.5G vg0 -n usr
lvcreate -L 500M vg0 -n home

Format Logical Volumes

Going to use ext4 for everything.

mkfs -t ext4 /dev/mapper/vg0-root
mkfs -t ext4 /dev/mapper/vg0-var
mkfs -t ext4 /dev/mapper/vg0-usr
mkfs -t ext4 /dev/mapper/vg0-home

Mount Logical Volumes

First, mount the root volume onto /mnt

mount /dev/mapper/vg0-root /mnt

Then create mountpoints for the other volumes

mkdir /mnt/{boot,var,usr,home}

Finally, mount the volumes

mount /dev/sda2 /mnt/boot
mount /dev/mapper/vg0-var /mnt/var
mount /dev/mapper/vg0-usr /mnt/usr
mount /dev/mapper/vg0-home /mnt/home

Install the base system

First, edit /etc/pacman.d/mirrorlist to pick a mirror geographically close to me. I picked the iiNet FTP server.

Then install the base system using pacstrap /mnt base base-devel.

Generate an /etc/fstab

I like using the UUID of volumes:

genfstab -p /mnt -U >> /mnt/etc/fstab

?? Also, change the /etc/fstab entry for /usr, so the “pass” option is 0.

Configure the system to boot

All these sub–steps should be carried out while chrooted into the system. This is required because we'll be running commands to configure locales and whatnot.

arch-chroot /mnt

Install GRUB 2 bootloader package

This is a straightforward install of the grub-bios package

pacman -S grub-bios

Set the hostname, timezone & locale

Edit the /etc/hostname file and enter the desired hostname.

Symlink the appropriate zoneinfo file into /etc/localtime:

ln -s /usr/share/zoneinfo/Australia/Melbourne /etc/localtime

The Arch Linux wiki page on Locales was the source of information used to arrive at my desired locale configuration.

Enable some locales by uncommenting them in /etc/locale.gen

en_AU.UTF-8
en_GB.UTF-8
en_US.UTF-8

To set a system–wide locale, with fallbacks, edit /etc/locale.conf and add the following lines

# Enable UTF-8 with Australian settings.
LANG="en_AU.UTF-8"
# specify some fallback locales
LANGUAGE="en_AU:en_GB:en"
# Keep the default sort order, which means files starting with '.' appear first
LC_COLLATE="C"

Then, run locale-gen to generate the locales.

Console keymap and font

TODO Arch Linux wiki page on keymaps. I'll want to remap Caps Lock to Ctrl. (Add console keymap and font preferences in /etc/vconsole.conf)

RAM disk config

The Arch Linux wiki page on mkinitcpio was used to derive appropriate settings for my system.

See mkinitcpio -H <hook name> for help on a specific hook.

Edit the file /etc/mkinitcpio.conf, and make sure the following HOOKS are present…

Since all volumes, except /boot are contained within a LUKS container, the RAM disk will need to know about LUKS

encryption  # allows LUKS containers to be opened

Since root device is on LVM (after block and encryption, before filesystems)

lvm2  # allows root partition to exist on a logical volume

Since /usr is its own partition (after lvm2)

shutdown  # allows /usr to be properly unmounted
fsck  # to allow fsck of /usr at boot
usr  # mount /usr immediately after / and ensure graceful unmount at reboot

So, the full HOOKS string should look something like

base udev autodetect modconf block encrypt lvm2 filesystems keyboard shutdown fsck usr

Now run mkinitcpio -p linux to create the RAM disk.

Grub configuration

It is necessary to tell grub about the LUKS container. Edit /etc/default/grub and change GRUB_CMDLINE_LINUX to include

cryptdevice=/dev/sda3:lvm

You might want to set some other nice options like colours…

Run grub-mkconfig -o /boot/grub/grub.cfg, to take into account updates to /etc/default/grub.

Grub installation to GPT

See the Arch wiki page on GRUB2.

grub-install --target=i386-pc --recheck --debug /dev/sda
mkdir -p /boot/grub/locale
cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo

Change root pw, exit chroot, unmount volumes, reboot

A simple passwd, followed by exit, and a umount /mnt/{boot,home,var,usr}. Finally a reboot.

Final steps, first reboot

DHCP

When first rebooting the new system, permanently enabling DHCP networking must be done with: systemctl enable dhcpcd. Also start it now, too.

Wireless network configuration

Install packages which are require for connection to wireless networks

pacman -S iw wpa_supplicant wpa_actiond

And install dialog, required to use the console front-end wifi-menu

pacman -S dialog

To bring the link up:

ip link set wlp3s0 up

To scan for networks

iw dev wlp3s0 scan

mDNS

Install avahi pacman -S avahi nss-mdns, and change the hosts: line in /etc/nssswitch.conf to:

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

Enable avahi: systemctl enable avahi-daemon, systemctl start avahi-daemon.

Install net-tools (for ifconfig etc.) and OpenSSH: pacman -S net-tools openssh, then enable (if desired) the ssh service: systemctl enable sshd.

Install rsyslog: pacman -S rsyslog, and enable the service systemctl enable rsyslog.

Install ufw, and configure the basics: pacman -S ufw, systemctl enable ufw, systemctl start ufw, ufw default deny, ufw allow SSH, ufw enable.

Use tune2fs to reduce the amount of reserved space used by each ext4 volume…any other options?

ThinkPad X200

Arch wiki page on Lenovo ThinkPad X200. How to reduce power consumption.

Install Xorg, with an appropriate driver, and emacs with pacman -S xorg-apps xorg-server xf86-video-intel xorg-xinit emacs xterm.

Installed TLP, power saving tools for ThinkPads. This adds some commands

bluetooth  (turn bluetooth on or off)
wifi  (turn wifi on or off)
tlp-stat  (print stats about tlp)

Followed the instructions on Arch Linux wiki page on KEYMAP to remap some keys.

Set the console font after reading Arch Linux wiki page on Fonts. Ended up installing terminus-font and using ter-114n. Note that to make the font persist, I had to add i915 to MODULES in /etc/mkinitcpio.conf in order to load the graphics driver early!

AUR

Read the Arch wiki page on AUR and modify my /etc/makepkg.conf to enable options to improve performance on multi–core systems.

systemd

Read a lot on Arch wiki page on Systemd/User to get systemd --user working to manage my XOrg session (requires xorg-launch-helper from AUR), as well as run my SSHConfigFS and dropboxd instances.

CUPS for HP LaserJet P1102W

Using hp-setup -i <ipaddr> will download the “proprietary driver”, but still doesn't work?!

Backup of LUKS header

Important!

cryptsetup luksHeaderBackup /dev/<device> --header-backup-file /mnt/<backup>/<file>.img

Or similar…then store this (strongly encrypted) somewhere safe.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment